b"                      0\n\n\n        MANAGEMENT OF THE DEFENSE INFORMATION\n           SYSTEMS AGENCY YEAR 2000 PROGRAM\n\n\n\nReport No. 98-184                         August 4,1998\n\n\n\n\n              Office of the Inspector General\n                  Department of Defense\n\x0c  Additional Information and Copies\n\n  To obtain additional copies of this audit report, contact the Secondary Reports\n  Distribution Unit of the Analysis, Planning, and Technical Support Directorate at\n  (703) 604-8937 (DSN 664-8937) or FAX (703) 604-8932 or visit the Inspector\n  General, DOD Home Page at: WWW.DODIG. OSD.MIL.\n\n  Suggestions for Audits\n\n  To suggest ideas for or to request future audits, contact the Planning and\n  Coordination Branch of the Analysis, Planning, and Technical Support\n  Directorate at (703) 604-8908 (DSN 664-8908) or FAX (703) 604-8932. Ideas\n  and requests can also be mailed to:\n\n                    OAIG-AUD (ATTN: APTS Audit Suggestions)\n                    Inspector General, Department of Defense\n                    400 Army Navy Drive (Room 801)\n                    Arlington, Virginia 22202-2884\n\n  Defense Hotline\n\n  To report fraud, waste,or abuse, contact the Defense Hotline by calling\n  (800) 424-9098; by sending an electronic message to\n  HotIine@DODIG.OSD.MIL; or by writing to the Defense Hotline, The\n  Pentagon, Washington, D.C. 20301-1900. The identity of each writer and caller\n  is fully protected.\n\n\n\n\nAcronyms\n\nASD(C31)            Assistant Secretary of Defense (Command, Control,\n                      Communications, and Intelligence)\nDISA                Defense Information Systems Agency\nY2K                 Year 2000\n\x0c                             INSPECTOR    GENERAL\n                            DEPARTMENT OF DEFENSE\n                              400 ARMY NAVY DRIVE\n                            ARLINGTON, VRGINIA 22202\n\n\n\n\n                                                                          August 4, 1998\n\n\nMEMORANDUM FOR DIRECTOR, DEFENSE INFORMATION SYSTEMS\n               AGENCY\nSUBJECT: Audit on Management of the Defense Information Systems Agency Year\n         2000 Program (Report No. 98-184)\n\n\n     We are providing this audit report for review and comment. We considered\ncomments on the draft report in preparing the final report.\n\n         Comments on the draft report generally conformed to the requirements of DOD\nDirective 7650.3. However, DISA needs to clarify with DOD officials whether system\ninterface agreements have to be formally established for selected communications\nsystems. DOD Directive 7650.3 requires that all recommendations be resolved\npromptly and there is special urgency regarding Year 2000 conversion issues.\nAccordingly, we ask that you provide planned actions and completion dates regarding\nthis issue by September 4, 1998.\n\n        We appreciate the courtesies extended to the audit staff. Questions on the audit\nshould be directed to Ms. Mary Lu Ugone at (703) 604-9049 (DSN 664-9049) or\nMr. James W. Hutchinson at (703) 6049060 (DSN 6649060). See Appendix C for\nthe report distribution. The audit team members are listed inside the back cover.\n\n\n\n\n                                         Robert J. zieberman\n                                      Assistant Inspector General\n                                              for Auditing\n\x0c\x0c                          Office of the Inspector General, DOD\nReport No. 98-184                                                       August 4,1998\n (Project No. 8AS-0005)\n\n         Management of the Defense Information Systems Agency\n                          Year 2000 Program\n\n                                 Executive Summary\n\nIntroduction. This reportis one of a series being issued by the Inspector General,\nDOD, in accordance with an informal partnership with the Chief Information Officer,\nDOD, to monitor DOD efforts to address the year 2000 computing challenge.\n\nThe cause of the year 2000 problem is that automated systems typically use two digits\nto represent the year, such as \xe2\x80\x9c98\xe2\x80\x9d representing 1998, to conserve on electronic data\nstorage and reduce operating costs. With this two-digit format, however, the year 2000\nis indistinguishable from 1900, or 2001 from 1901. As a result of the ambiguity,\nsystem or application programs that use dates to perform calculations, comparisons, or\nsorting could generate incorrect results when working with years after 1999. Unless\nthe problem is corrected, the automated systems may fail. Therefore, DOD manage-\nment issued a Year 2000 Management Plan that provides an overall strategy to assist\nthe DOD Components in resolving problems related to the year 2000. The five phases\nincluded in the strategy are awareness, assessment, renovation, validation, and\nimplementation.\n\nAudit Objectives. The audit objective was to evaluate the Defense Information\nSystems Agency progress in preparing its information and technology systems for\nyear 2000 compliance. This report discusses the program management of the\nyear 2000 initiatives.\n\nAudit Results. The Defense Information Systems Agency had implemented numerous\nactions to improve its year 2CKKl  program, but some changes are still needed. We\nbriefed management regarding the limited documentation available to support the year\n2000 work progress specifically related to the dissemination of guidance, prioritizing\ninterface identification, funding, contingency planning, testing and certification.\nWithout a greater effort by the Defense Information Systems Agency to revise its\nyear 2000 program to better comply with Federal and DOD requirements, the Defense\nInformation Systems Agency faces increased risks that its information and technology\nsystems may not operate properly in the year 2000 and beyond. The audit results are\ndetailed in Part I.\n\nSummary of Recommeudatious. We recommend that the Director, Defense\nInformation Systems Agency, update the management plan to incorporate the changes\nto the extent of the guidance documented within the DOD Year 2000 Management Plan;\ndisseminate guidance to the operating level; follow the exit criteria prescribed in the\nDOD Year 2000 Management Plan to accurately document the reported progress for\nyear 2000; identify all interfaces to resolve any problems and communicate the\nresolutions to all interface partners; provide cost estimates for each system; develop\n\x0ccontingency plans for systems that will not complete the revised implementation phase\nscheduled for December 1998; and determine system year-2000 compliance status only\nafter the system has been tested and certified as compliant.\nManagement Comments. DISA generally concurred with the recommendations and\ndescribed both ongoing and newly initiated actions to improve DISA internal Y2K\nguidance and requirements and to ensure that it includes DOD-wideY2K requirements\nrelated to system interface agreements, tracking Y2K costs, and formally certifying that\nDISA systems are Y2K compliant. DISA also commented that the status of DISA\nsystems presented in the report is outdated and does not accurately reflect the current\nstatus of DISA systems. They also described extensive efforts to ensure that Y2K\nguidance, requirements, and other related information, reaches those who are directly\ninvolved in Y2K efforts. See Part 1 for a summary of management comments and Part\nIII for the complete text of the comments.\nAudit Response. DISA comments were generally responsive. We recognize that\nDISA has made commendable improvements in its Y2K efforts since we began the\naudit. Especially noteworthy are DISA efforts to disseminate Y2K requirements and\ninformation down to \xe2\x80\x9cthe trenches. n However, in verifying DISA actions taken on the\nrecommendations, we could not confii that DODY2K officials had waived interface\nagreement requirements for telecommunicationstransport systems. DISA believes that\na need for interface agreements is obviated through adherence to international and\nnational standards and that DODha\xe2\x80\x99dprovided an exemption in that regard. We were\nunable to verify such an exemption in the DODY2K Management Plan or within the\nOffice of Year 2000 Oversight and Contingency Planning. We ask that DISA clarify\nthe DODrequirement for Y2K system interfaces for communications transport systems\nwith DODY2K officials and provide comments on this final report by September 4,\n1998. The response should specify what actions have been agreed to with the Office of\nYear 2000 Oversight and Planning and estimated completion dates.\n\n\n\n\n                                           ii\n\x0cTable of Contents\n\nExecutive Summary                                                           i\n\nPart I - Audit Results\n      Audit Background                                                     2\n      Audit Objective                                                      3\n      Status of the Defense Information Systems Agency Year 2000 Program   4\n\nPart II - Additional Information\n      Appendix A. Audit Process and Prior Coverage\n        Scope                                                              16\n        Methodology                                                        16\n        Prior Coverage                                                     17\n      Appendix B. Summary of Defense Information Systems Agency\n                   Systems Reviewed                                        18\n      Appendix C. Report Distribution                                      21\n\nPart III - Management Comments\n      Defense Information Systems Agency Comments                          24\n\x0c\x0cPart I - Audit Results\n\x0cAudit Background\n\n    The cause of the year 2000 (Y2K) problem is that automated systems typically\n    use two digits to represent the year, such as \xe2\x80\x9c98\xe2\x80\x9d representing 1998, to\n    conserve on electronic data storage and reduce operating costs. With this\n    two-digit format, however, the Y2K is indistinguishable from 1900, or 2001\n    from 1901. As a result of the ambiguity, system or application programs that\n    use dates to perform calculations, comparisons, or sorting could generate\n    incorrect results when working with years after 1999. Calculation of Y2K dates\n    is further complicated because the year 2000 is a leap year, the first century leap\n    year since 1600. This means that computer systems and applications must\n    recognize February 29, 2000, as a valid date. Unless the problem is corrected,\xe2\x80\x99\n    the automated systems may fail.\n\n    Because of the potential failure of computers to run or function throughout the\n    Government, the President issued an executive order, \xe2\x80\x9cYear 2000 Conversion, \xe2\x80\x9d\n    dated February 4, 1998, making it policy that Federal agencies ensure that no\n    critical Federal program is disrupted because of the Y2K problem. In addition,\n    the head of each agency must ensure that efforts to address the Y2K problem\n    receive the highest priority attention in the agency. Further, the General\n    Accounting Office has designated resolution of the Y2K problem as a high-risk\n    area, and DOD has recognized the Y2K issue as a material management control\n    weakness area in the FY 1997 Annual Statement of Assurance.\n\n    Impact *on DOD. As of January 1998, DOD reported 2,915 mission-critical\n    systems . Of those systems, 530 were Y2K compliant, 330 were scheduled to be\n    replaced, 1,891 were being repaired, and 164 were being retired. The total cost\n    of the DOD Y2K effort is estimated at about $2 billion.\n\n    DOD Y2K Management Strategy. In his role as the DOD Chief Information\n    Officer, the Assistant Secretary of Defense (Command, Control,\n    Communications, and Intelligence) issued the \xe2\x80\x9cDOD Year 2000 Management\n    Plan\xe2\x80\x9d (DOD Management Plan) in April 1997. The DOD Management Plan\n    provides the overall DOD strategy and guidance for inventorying, prioritizing,\n    fixing, or retiring systems, and monitoring progress. The DOD Management\n    Plan states that the DOD Chief Information Officer has overall responsibility for\n    overseeing the DOD solution to the Y2K problem. Also, the DOD Management\n    Plan makes the DOD Components responsible for implementing the five-phase\n    Y2K management process. The DOD Management Plan includes a description\n    of the five-phase Y2K management process. The most current DOD Manage-\n    ment Plan, For Signature Draft Version 2.0, June 1998, accelerates the target\n    completion dates for the renovation, validation, and implementation phases.\n    The new target completion date for implementation of mission-critical systems\n    is December 3 1, 1998.\n\n\n    *A system that when its capabilities are degraded, the organization realizes a resulting loss of a\n    core capability.\n\n                                                2\n\x0c     In a memorandum for the heads of executive departments and agencies, dated\n     January 20, 1998, the Office of Management and Budget established a new\n     target date of March 1999 for implementing solutions to all systems. The new\n     target completion date for the renovation phase is September 1998.\n\n     Defense Information Systems Agency. The Defense Information Systems\n     Agency (DISA) is the DOD agency responsible for information technology and\n     is the central manager for major portions of the DOD information infrastructure.\n     As a result, DISA is obligated to provide Y2K-compliant computing platforms,\n     networks, and services to the Services, DOD Components, and other customers.\n\n     Separate Y2K coordination responsibilities are assigned for the DISA-owned\n     DOD corporate systems and the internal DISA-owned systems. The Office of\n     the Deputy Director for Command, Control, Communications, Computers, and\n     Intelligence has responsibility for the DISA-owned corporate systems, and the\n     Office of the Chief Information Officer manages the internal DISA-owned\n     systems. For oversight and coordination purposes, the Vice Director meets\n     weekly with representatives of each DISA Directorate to discuss progress made\n     and to help resolve problems related to the DISA Y2K program.\n\nAudit Objective\n     The objective of the audit was to determine whether DISA is adequately\n     preparing its information technology systems to resolve the date-processing\n     issues for Y2K. Specifically, the objective was to determine whether the DISA\n     has complied with the DOD Management Plan.\n\x0cStatus of the Defense Information\nSystems Agency Year 2000 Program\nThe DISA has recognized the importance of Y2K and has taken\nnumerous positive actions in addressing the Y2K problem. However,\nDISA needs to address the following critical factors to be in compliance\nwith the DOD Management Plan:\n\n        l   update the DISA Y2K Problem Management Plan (hereafter\nreferred to as the DISA Y2K Management Plan), dated November 20,\n1996, to include the requirements of the DOD Management Plan;\n\n      l  disseminate the DOD Management Plan, the DISA Y2K\nManagement Plan, and other guidance in entirety to the operating levels;\n\n        l  accurately report and document DISA Y2K status as\nprescribed in the exit criteria within the DOD Management Plan;\n\n            identify all interfaces and assigning risk and efforts to resolve\nY2K prfiblems for document agreements with interface partners on how\nthe interfaces should be made Y2K compliant;\n\n       l  prepare updated Y2K cost estimates for each system to\ndetermine whether additional funding is needed;\n\n        l   develop contingency plans for mission-critical systems in\naccordance with the DOD Management Plan and communicating the\nplans to interface partners; and\n\n      l   validate systems as Y2K compliant only after fully\ndocumenting test results using the official compliance checklists.\n\nUnless DISA adequately addresses these issues, its mission-critical\nsystems may not successfully operate in the year 2000 and beyond.\n\n\n\n\n                              4\n\x0c          Status of the Defense Information    Systems Agency Year 2000 Program\n\n\n\n\nActions Taken to Address the Year 2000 Problem\n    Recognizing the importance of Y2K, DISA implemented various positive\n    actions to resolve the Y2K problem. For example, DISA established a Y2K\n    program management structure to improve management awareness and to\n    provide frequent high-level guidance and direction in developing and executing\n    the DISA Y2K strategy.\n\n    The DISA efforts to address the Y2K problem include the following additional\n    actions:\n\n           l   DISA sponsored periodic meetings between systems\xe2\x80\x99 owners and the\n           central design activities responsible for modifying the programs run by\n           management representatives;\n\n           l   DISA established DISA Y2K coordinators for DISA-owned DOD\n           corporate systems and another for internal DISA-owned systems;\n\n           l   DISA developed its Y2K Management Plan, which provides\n           guidance on the strategies, policies, and procedures needed to identify\n           and resolve Y2K issues;\n\n           l    DISA rated the criticality of all its information systems and used the\n           rating to categorize the systems as mission critical or non-mission\n           critical;\n\n           l   DISA identified sufficient funds to pay for all of its necessary Y2K\n           solutions without affecting other necessary operations; and\n\n           l  DISA developed the DISA Y2K Testing Guideline, dated\n           December 30, 1997.\n\n    Also, the DISA Director required that all DISA-owned and maintained systems\n    complete the Y2K implementation phase by October 1, 1998. The requirement\n    accelerated the Y2K program milestones in the DOD Management Plan by\n    3 months for mission-critical systems and by 6 months for non-mission-critical\n    systems. The major benefit of the requirement is that DISA will have a year to\n    run its systems in an operational mode and to work out any problems before the\n    turn of the century.\n\n    These aggressive actions by DISA are commendable. However, DISA needs to\n    emphasize several Y2K issues more forcefully, as detailed in the following\n    discussion. See Appendix B for a summary of issues related to the specific\n    systems reviewed.\n\n\n\n\n                                        5\n\x0cStatus of the Defense Information Systems Agency Year 2000 Program\n\n\nDISA Year 2000 Guidance\n      The DISA Y2K program coordinators need to devote greater efforts to updating\n      the DISA Y2K Management Plan and disseminating current guidance to pro-\n      gram and management representatives. A detailed summary of the results of the\n      review is in Appendix B of this report.\n\n      Updating the DISA Y2K Management Plan. DISA needs to update its Y2K\n      Management Plan and modify its strategy to more closely conform with the\n      current version of the DOD Management Plan. The ASD(C31) signed\n      Version 1 .O of the DOD Management Plan in April 1997. Later, the ASD(C31)\n      produced two updated versions and issued the unofficial Version 2.0 in January\n      1998.\n\n      DISA prepared the DISA Y2K Management Plan in November 1996, 6 months\n      before the ASD(C31) issued Version 1.O of the DOD Management Plan.\n      Because the DISA Y2K Management Plan preceded the DOD Management Plan,\n      a management representative from the DISA Y2K Program Office stated that no\n      plans would be made to modify the DISA Y2K Management Plan. The DISA\n      Y2K Management Plan includes more restrictive time requirements than the\n      most recent Version 2.0 of the DOD Management Plan; however, it is\n      significantly more lenient in other areas, which is reflected in the results of this\n      audit. The DISA Y2K Management Plan does not mirror the requirements of\n      the DOD Management Plan for contingency planning, estimating Y2K costs,\n      identifying time and other resource requirements, procurement planning, or\n      preparing written Y2K strategies.\n\n      Dissemination of Guidance. DISA not only needs to update its DISA Y2K\n      Management Plan but also needs to make its component organizations more\n      fully aware that DISA and DOD have published useful Y2K strategies and\n      requirements. We spoke with 24 manager representatives responsible for the 35\n      separate systems in our sample. Of the 24 management representatives, 14\n      were not knowledgeable of the DOD Management Plan or the DISA Y2K\n      Management Plan. However, the lack of awareness should not prevent the\n      management representatives from taking specific actions to resolve any Y2K\n      issues. We encourage DISA to disseminate both documents because they are\n      useful and necessary resources for system and program managers working the\n      Y2K issues. The DOD Management Plan outlines responsibilities and\n      milestones and provides guidelines to ensure that no system fails because of\n      Y2K problems.\n\n      The DOD Management Plan provides DISA component organizations with\n      specific requirements for the five-phase management process and with exit\n      criteria for reporting the progression from one phase to the next. Furthermore,\n      DISA already has instructed management representatives to report the Y2K\n      progression status in accordance with the requirements of the DOD Management\n      Plan. The review identified that DISA management had not adequately\n      documented the Y2K progression status.\n\n\n                                           6\n\x0c           Status of the Defense Information Systems Agency Year 2000 Program\n\n\nDocumentation\n     We met or consulted with system managers responsible for DISA mission-\n     critical information systems from November 1997 through February 1998. We\n     looked for minimal information on problem definition, milestones for\n     completion of each phase, resource requirements, procurement plans or other\n     methods of making the system Y2K compliant, and asked DISA management\n     representatives to provide written strategies for making their individual systems\n     Y2K compliant. The DOD Management Plan requires that DOD Components\n     and management representatives develop strategies to resolve their Y2K\n     problems in passing from the assessment phase to the renovation phase. In our\n     sample of 35 DISA information systems, with the exception of the 3 retired\n     systems, the 3 systems already replaced or scheduled to be replaced, and the\n     2 systems managed but not owned by DISA, DISA reported 27 systems as\n     either in the renovation phase or beyond. Of the 27 systems, 21 systems had no\n     written Y2K strategy. However, the management representatives provided an\n     acquisition strategy document dated December 24, 1997, that required all new\n     information and technology items to be Y2K compliant. But, the DOD\n     Management Plan requires a planned strategy to be completed in the assessment\n     phase that shows the start and ending date of each phase, establishes major steps\n     to convert and test Y2K solutions, and identifies the infrastructure and resources\n     needed to complete the Y2K compliance. Also, the DOD Management Plan\n     requires that the strategy be updated as exit criteria in each phase of the\n     management process. Had the DISA management completed the required exit\n     criteria, the interface identifications would have been completed, prioritized,\n     documented, and available to assist the interface partners in readying their\n     systems to meet the Y2K computer challenge.\n\n\nInterface Identification Priority\n     The DOD Management Plan considers identification of interfaces to be the\n     highest priority because the transfer of electronic data has the potential to\n     introduce errors, propagate errors, or both from one DOD Component to\n     another. As a result, the DISA management representatives should give greater\n     priority to identifying interfaces, preparing written agreements with interface\n     partners, and identifying Y2K solutions for the interfaces.\n\n     Interface Defined. The DOD Management Plan defines an interface as a\n     boundary across which two systems pass electronic data. An interface might be\n     a hardware connector or it might be a convention to allow communication\n     between two software systems. Interfaces may connect applications, programs,\n     or systems internally within DISA or between DISA and other DOD\n     Components. Interfaces may also connect systems among DOD and external\n     organizations.\n\n     Interface Identification. DISA has not completed the interface identification\n     process. In the DISA report on Y2K status for the quarter ending January\n     1998, DISA identified 98 DISA-managed systems as mission critical and 127\n                                         7\n\x0cStatus of the Defense Information   Systems Agency Year 2000 Program\n\n\n       DISA-managed systems as noncritical. Also, DISA reported a total of 225\n       interfaces for the mission-critical and non-mission-critical systems. A\n       management representative from the Office of the Chief Information Officer\n       stated that most DISA mission-critical systems do not interface with other\n       internal or external systems, although many DISA systems interface with 20 or\n       more systems. Of the 24 management representative we spoke with, 5 indicated\n       that their systems did interface with others and readily stated that they had not\n       yet started to identify interfaces.\n\n      Prioritization and Risk Assessment. The DOD Management Plan asks\n      Components to identify all system interfaces and to use the assessment to\n      prioritize mission-critical system interfaces for DISA and other organizations.\n      Because DISA has not emphasized interface identification, it has not been able\n      to prioritize the importance of the system for system interface partners.\n      Recently, management representatives started to identify all interfaces, but the\n      action is still ongoing. In one instance, a management representative provided\n      updated information that showed one system\xe2\x80\x99s number of interfaces had\n      increased to 96 since the initial review.\n\n      Documented Interface Agreements. After DISA identifies its interfaces, it\n      needs to communicate when and in what manner it plans to resolve the specific\n      interface issue, so that the partners will be able to accommodate DISA Y2K\n      changes. The DOD Management Plan requires DOD Components to document\n      and obtain system interface agreements in the form of a Memorandum of\n      Agreement or its equivalent. A sample Y2K compliance checklist included in\n      the DOD Management Plan states that DOD Components and each interface\n      partner should negotiate an agreement dealing with Y2K issues. Also, each\n      interface partner should discuss and verify consistent implementation of Y2K\n      corrections for compliance when date data pass between systems.\n\n      Of the 25 systems in our sample for which interfaces were an issue, only one\n      management representative had initiated a written interface agreement to support\n      system interfaces that had been identified. From our sampled systems, DISA\n      management stated that 13 systems did not need formal interface agreements\n      because they are telecommunications transport systems and adhere to\n      international standards. As such, DISA management stated that effecting\n      interface agreements for telecommunications transport systems would be\n      unnecessarily time-consumin g and bureaucratic because they are not impacted\n      by date actions tied to Y2K. We agree that formal interface agreements for\n      telecommunications systems may not be appropriate, but also recognize that\n      DOD guidance does not provide an exception for telecommunications systems.\n      DOD may be willing to make that exception if DISA was better able to identify\n      the costs involved.\n\n\n\n\n                                           8\n\x0c          Status of the Defense Information Systems Agency Year 2000 Program\n\n\nFunding\n     To ensure that the DISA will have sufficient funds allocated to resolve the Y2K\n     problem, it must place greater emphasis on estimating and accounting for Y2K\n     costs.\n\n     Estimating Costs for Y2K. The DOD Management Plan suggests that DOD\n     Components conduct a thorough review of resource requirements as part of their\n     overall assessment of the Y2K problem. The plan emphasizes the importance of\n     estimating Y2K costs by using cost factors. Further, the DOD Management\n     Plan allows DOD Components to use any other accurate means to provide a\n     realistic estimate of Y2K costs. However, the DOD and the Office of\n     Management and Budget require estimated Y2K costs to be reported and, if the\n     estimate is made by means other than the cost factors, the DOD Components\n     must identify the methodology used. In addition, the DOD Management Plan\n     suggests frequent updates of Y2K cost estimates as circumstances change.\n\n    DISA has not emphasized the development of Y2K-specific cost estimates. Of\n    24 management representatives, 16 had not attempted to estimate costs related\n    to Y2K. DISA management representatives explained that they considered\n    developing separate Y2K estimates to be unnecessary because Y2K-related costs\n    would be covered by the normal system budgets for update, renovation, or\n    modification. Furthermore, because Congress will not be providing additional\n    funding for Y2K resolution, the DISA management representatives considered\n    budget estimation for Y2K to be unnecessary and time-consuming. DISA must\n    place a greater emphasis on cost estimates with frequent adjustments to keep\n    them current, or it may find that unidentified testing costs will increase the\n    overall Y2K estimated cost.\n\n    Accounting for Y2K Costs. The DOD Management Plan also emphasizes that\n    Congress has requested and will continue to pursue an aggressive total\n    accounting of the cost of Y2K compliance, even though Congress plans no\n    budgetary relief to accomplish the Y2K mission. Management representatives\n    stated that DISA personnel report direct Y2K costs to the Defense Integration\n    Support Tools database and report indirect costs to the DISA Comptroller.\n    Because DISA tracks costs separately, the congressional intent to obtain the\n    actual Y2K program costs is not adequately being met.\n\n\nContingency Plans\n    The DISA has not developed contingency plans for each of its mission-critical\n    systems.\n\n    Definition of Contingency Plan. A contingency plan is a strategy for\n    responding to the loss of a system because of a disaster, such as flood, fire,\n\n\n\n                                         9\n\x0cStatus of the Defense Information Systems Agency Year 2000 Program\n\n\n      computer virus, or major software failure. The DOD Management Plan strongly\n      emphasizes that DOD Components develop realistic contingency plans that\n      include the following:\n\n              l   developing and activating manual or contract procedures to ensure\n      the continuity of core processes.\n\n              l   developing procedures for emergency response, backup, and post-\n      disaster recovery.\n\n             l   developing contingencies in case a data exchange fails to take place\n      as expected from an outside source.\n\n             l    developing expenditures of additional funds to correct any unforeseen\n      problems.\n\n      Furthermore, the DOD Management Plan recommends that DOD Components\n      start the contingency plan in the assessment phase and update them during each\n      subsequent phase.\n\n      DISA Contingency Plan. In our sample, 27 of 30 DISA systems that would\n      continue to be active in the year 2000 did not have a written contingency plan to\n      support operations in case the Y2K solutions failed. The DISA Y2K program\n      manager explained that DISA will not start contingency planning until\n      October 1, 1998. The program manager contends that contingency planning\n      before program implementation will take critical manpower away from the Y2K\n      problem resolution.\n\n     Importance of Contingency Planning. Preparing contingency plans is an\n     essential element of risk management; they should be prepared from the\n     perspective of the business area as well as from the perspective of the system\n     owners and users. The DOD Management Plan states that contingency plans for\n     the year 2000 are much more important than plans for routine system\n     development or maintenance efforts, for which schedule slippages are nonfatal\n     and common. The Y2K program must be completed on time. Without\n     researching the contingencies that are available in case of Y2K system failure,\n     management representatives as well as system users cannot effectively prioritize\n     the efforts required to resolve the Y2K problems.\n\n\nTesting and Compliance Checklists\n\n     DISA may have inappropriately reported systems to the Office of the Secretary\n     of Defense as Y2K compliant. The classification of most of the systems\n     reported as Y2K compliant was not supported by a signed compliance checklist\n     or an acceptable equivalent. Systems should not be moved from the validation\n     phase until they are fully tested and certified as Y2K compliant.\n\n\n\n                                          10\n\x0c           Status of the Defense Information Systems Agency Year 2000 Program\n\n\n     Compliance Checklists. The DOD Management Plan states that DOD\n     Components should develop and document test-and-compliance plans and\n     schedules for each converted or replaced application or system component. It\n     also provides a checklist containing items to be included in the Y2K testing-and-\n     compliance process that helps determine whether a system is compliant. The\n     checklist is an aid for system owners to ensure that their systems are thoroughly\n     tested and properly documented before they are considered to be Y2K\n     compliant.\n\n     Y2K Compliant Systems. In January 1998, DISA reported that 21 of 98\n     mission-critical systems were Y2K compliant, and 49 of 127 non-mission-\n     critical systems were Y2K compliant. In our sample, we looked at 13 systems\n     that DISA considered Y2K compliant and found 10 systems that had been\n     classified as Y2K compliant without being tested, without interface\n     identification being made for those systems, and without the compliance\n     checklists being completed.\n\n     DISA has developed a Y2K-compliance certification plan that provides\n     instructions for determining the compliance of information technology,\n     software, and systems that face a Y2K problem. The compliance certification\n     plan also provides the steps necessary to determine whether modified\n     information technology systems can ensure a smooth transition from the 20th\n     century to the 21st century. Systems that are deemed properly modified will be\n     certified as Y2K compliant. In addition, the compliance certification plan\n     requires certifications from the test manager, system manager, and system\n     customer for each compliance checklist. The DISA is also developing an\n     applications Y2K test bed to provide testing for in-house-generated database\n     applications.\n\n\nContinuing DISA Actions\n\n     DISA is resolving several of the issues addressed in this report. The DISA Y2K\n     program manager is revising the DISA Y2K Management Plan, which will be\n     available for coordination within the DISA Directorates by June 30, 1998.\n     DISA is also writing separate instructions for DISA Year 2000 Certification and\n     Validation Guidance, which incorporates the DOD checklist on compliance and\n     validation and a directive addressing risk management and contingency\n     planning.\n\n\n\nOther Matters of Interest\n\n     In a separate review, the Inspector General, DOD, is also examining the Y2K\n     posture of the Defense Megacenters that DISA owns and operates. These\n     organizations provide mainframe data processing services to functional users in\n\n\n                                        11\n\x0cStatus of the Defense Information Systems Agency Year 2000 Program\n\n\n      the Services and the Defense Agencies. Defense Megacenter Y2K concerns\n      have been tentatively identified in the areas of reporting, testing, and\n      contingency planning.\n\n\nConclusion\n\n      Although DISA has recognized the importance of solving Y2K problems in its\n      systems, it has not emphasized the planning and precautionary strategies that are\n      outlined in the DOD Management Plan to ensure that DISA will be well-\n      positioned to deal with unexpected problems and delays. Unless DISA takes\n      additional measures, it faces a high risk that its mission capabilities and those of\n      supporting DOD Components will be impaired because of Y2K-related\n      disruptions.          -\n\n\n\nRecqmmendations,           Management          Comments,         and\nAu&t Response                     .\n\n\n      We recommend that the Director, Defense Information Systems Agency:\n\n             1. Review changes to the DOD Year 2000 Management Plan, and\n      update the Defense Information Systems Agency Year 2000 Management\n      Plan according to those changes.\n\n              2. Disseminate the regulations, procedures and strategies governing\n      the DOD Year 2000 Management Plan and the Defense Information Systems\n      Agency Year 2000 Management Plan and other guidance to the operating\n      levels.\n\n             3. Require system managers to accurately document the system\n     status in accordance with the exit criteria prescribed in the DOD Year 2000\n     Management Plan.\n\n             4. Complete the identification of all interfaces and communicate the\n     resolutions of the potential year 2000 interface problems to the interface\n     partners.\n\n            5. Refine cost estimates for each system to determine the funding\n     needed.\n\n            6. Develop contingency plans for mission-critical systems that will\n     not complete the %nplementation\xe2\x80\x9d phase by December 199%\n\n           7. Determine systems as year-2000 compliant only after testing and\n     completing the compliance checklists.\n\n\n\n                                          12\n\x0c      Status of the Defense Information Systems Agency Year 2000 Program\n\n\nManagement Comments. The Inspector General, Defense Information\nSystems Agency, generally concurred with the recommendations and described\nongoing actions to implement them. Management will update the DISA Y2K\nManagement Plan to reflect DOD guidance and requirements. Interfaces with\nboth internal and external systems will be identified, and interface agreements\nwill be documented through memorandums of agreement or interface control\ndocuments. Management stated that DOD agreed to exempt communications\ntransport systems from developing formal interface agreements because\nadherence to applicable international and national standards accomplishes the\nsame results. Using the revised guidance in the draft DOD Y2K Management\nPlan, DISA is revalidating Y2K cost estimates but does not anticipate needing\nany additional funding. Contingency plans will be developed for\nmission-critical systems that will not be fully Y2K compliant by September 30,\n1998, or that will not be fully implemented by December 1998. Management\nalso stated that Version 2.0 of the DISA Y2K Management Plan specifically\nrequires that DISA complete a Y2K Compliance Checklist for all systems\nduring the testing phase.\n\nDISA management partially concurred with our recommendations related to\ndissemination of Y2K guidance and requirements and to documenting system\nstatus as prescribed in the DOD Y2K guidance. Management stated that DISA\nhas used and continues to use every means possible to disseminate Y2K\nguidance. In November 1996, the draft DISA Y2K Management Plan, specific\nguidance from DOD and DISA management, and other important Y2K\ninformation was distributed via electronic mail to about 50 managers and Y2K\npoints of contact. Additionally, information on Y2K web sites, and commercial\nand government software and hardware, are sent to Y2K points of contact and\noperating level personnel on an almost daily basis. Further, Y2K-related\ninformation is distributed during frequent Y2K status and progress reviews.\nManagement stated that the system-status and milestone-events information in\nAppendix B of this report is so outdated that the current Y2K status of DISA is\ninaccurate. Currently, exit criteria for the renovation phase are nearly\ncompleted, and test schedules and validation plans for DISA mission-critical\nsystems are being finalized. The status of DISA systems was intensely reviewed\nin April 1998 and is updated monthly. The complete text of management\ncomments is in Part III of this report.\n\nAudit Response. We consider management comments to be generally\nresponsive to all recommendations. We also recognize that DISA has\nsignificantly improved its Y2K program and has made progress in remedying its\nY2K problems since the audit. However, we could not verify DISA comments\nthat DOD officials had agreed to exempt telecommunications transport systems\nfrom developing specific Y2K interface agreements. The present draft Version\n2.0 of the DOD Management Plan does not provide such an exemption, and the\nstaff in the Office of Year 2000 Oversight and Contingency Planning was not\naware of any plans to include such a provision. We request that DISA clarify\nrequirements for establishing interface agreements for telecommunications\ntransport systems with DOD Y2K officials and provide comments on this aspect\nof the final report, including estimated completion dates for any planned\nactions, by September 4, 1998.\n\n                                   13\n\x0c\x0cPart II - Additional Information\n\x0cAppendix A. Audit Process\n       This is one of a series of reports being issued by the Inspector General, DOD, in\n       accordance with an informal partnership with the Chief Information Officer,\n       DOD, to monitor DOD efforts to address the Y2K computing challenge. For a\n       listing of audit projects addressing this issue, see the Y2K webpage on IGNET\n       at (http:Ilwww.ignet.gov/).\n\n\nScope\n       We reviewed the progress that DISA has made in resolving the Y2K computing\n       issue. The review included interviews conducted with 24 management\n       representatives who are responsible for making 35 DISA systems Y2K\n       compliant. Also, we evaluated documentation supporting actions taken to\n       resolve Y2K deficiencies within specific DISA systems. We compared the\n       DISA Y2K efforts with those described in the DOD Management Plan issued by\n       the Assistant Secretary of Defense (Command, Control, Communications, and\n       Intelligence) in April 1997. We assessed the efforts related to the progression\n       of the 35 DISA systems reported in detail in Part I through the five-phase\n       management process, using documents that included Office of Management and\n       Budget guidance, the DOD Management Plan, the DISA Y2K Management\n       Plan, DISA Y2K Test and Validation Guidelines, and systems inventory\n       database information.\n\nDOD-Wide Corporate Level Government Performance and Results Act (GPRA)\nGoals. In response to the GPRq the Department of Defense has established 6 DOD-wide\ncorporate-level performance objectives and 14 goals for meeting the objectives. This\nreport pertains to achievement of the following objectives and goals.\n\n       l   Objective:   Prepare now for an uncertain future. Goal: Pursue a focused\n           modernization effort that maintains U.S. qualitative superiority in key war\n           fighting capabilities. (DoD-3)\n\nDOD Functional Area Reform Goals.       Most major DOD functional areas have also\nestablished performance improvement reform objectives and goals. This report pertains\nto achievement of the following functional area objectives and goals.\n\n       l   Information   Technology Management      Functional Area.    Objective:\n           Become a mission partner. Goal: Serve mission information users as\n           customers. (ITM-1.2)\n\n       l   Information   Technology Management      Functional Area.    Objective:\n           Provide services that satisfy customer information needs. Goal: Modernize\n           and integrate Defense information infrastructure. (ITM-2.2)\n\n\n\n                                           16\n\x0c                                    Appendix A. Audit Process and Prior Coverage\n\n\n       l   Information Technology Management Functional Area. Objective:\n           Provide services that satisfy customer information needs. Goal: Upgrade\n           technology base. (ITM-2.3)\n\nGeneral Accounting Office High-Risk Area. The General Accounting Office (GAO)\nhas identified several high-risk areas in the DOD. This report provides coverage of the\nInformation Management and Technology high-risk area.\n\n\nMethodology\n\n       Audit Type, Dates, and Standards. We performed this economy and\n       efficiency audit from October 1997 through March 1998 in accordance with\n       auditing standards issued by the Comptroller General of the United States, as\n       implemented by the Inspector General, DOD. We did not use computer-\n       processed data or statistical sampling procedures for this audit.\n\n       Contacts During the Audit. We visited or contacted individuals and\n       organizations within DOD. Further details are available upon request.\n\n       Management Control Program. We did not review the management control\n       program related to the overall audit objective because DOD recognizes the Y2K\n       issue as a material management control weakness area in the FY 1997 Annual\n       Statement of Assurance.\n\n\nPrior Coverage\n\n       The General Accounting Office and the Inspector General, DOD, have\n       conducted multiple reviews related to Y2K issues. General Accounting Office\n       reports can be accessed over the Internet at http://www.gao.gov. Inspector\n       General, DOD, reports can be accessed over the Internet at\n       http://www.dodig.osd.mil.\n\n\n\n\n                                          17\n\x0cAppendix B. Summary of Defense Information\nSystems Agency Systems Reviewed\n\n\n\n\n                     18\n\x0c                                              Knowledge of            Documented                  Completed                 Completed                 cost                                          Certified as\n                                               Management                  Y2K                     Interface                 Interface             Estimates             Documented                      Y2K\n               System\n    ................     Name                      Plan\n                 ..............................................................................  Identification            Agreements\xe2\x80\x99\n                                                                                                                                ............\n                                                                        Stratedes........................................................          RePorted\n                                                                                                                                          ...............            contingency\n                                                                                                                                                       .............................  Plans         ComPliants\n                                                                                                                                                                                                     ......................\n                                                                                                                                                                               ..... ....................\n      Advanced Deft     Red                         No                     No                         Yes                       No                    No                       No                        Yes\n      Switch Network Integrated\n      Management Support\n      System \xe2\x80\x99\n\n      Anti-Drug Network\xe2\x80\x99                            No                     No                         YeS                       No                    No                       No                       N/A\n\n      Airtields Database\xe2\x80\x99                           No                     No                         YeS                       No                    No                       No                        Yes\n\n      Automated Resources                          YeS                     No                         YCS                       No                    Yes                      No                        Yes\n      Management System\xe2\x80\x9d\xe2\x80\x99\n\n      Communications                               Yes                     YeS                        Yes                       No                    No                      No                         Yes\n      Management and Control\n      Activity Automated\n      Billing System\n\n      Corporate Database for                       Y*l                     No                        N/A                        N/A                   No                       No                        Yes\n      Windows\xe2\x80\x99\n\n      Counter Drug Intelligence                     No                     YeS                        Yes                       No                    No                      Yes                       N/A\n      system\xe2\x80\x99\nz\n      Defense Information                          YeS                     No                        N/A                        N/A                  Yes                      No                         No\n      Systems Agency\n      Acquisition Bulletin Board\n      System5\n\n      Database Commitment                                                  No                         YeS                       N/A                   No                      No                         Yes\n      Accounting System for\n      Windows5\n\n      Defense Information                          YeS                     YtS                        No                        No                    No                      No                         No\n      Infrastructure-Common\n      Operating Environment\n\n      Defen.95 Information                          No                     No                         YE'                       No                   Yes                      No                         No\n      System Network\xe2\x80\x99\n\n      Defense Information                          No                      No                         YeS                       No                   YeS                      No                         YeS\n      System Network-\n      Asynchronous Transfer\n      Mode\xe2\x80\x99\n\n      Defense Information                          No                      No                        Yes                        No                   Ye.5                     No                         YeS\n      System Network Channel\n      Service Unit and Data\n      Service Unit\xe2\x80\x99\n\x0c     ............................................................................................................................................................................................................................................................................\n\n\n\n\n                                                                                                                                                                                                                          Knowledge of                                              Documented   Completed                  Completed               cost                                           certified as\n                                                                                                                                                                                                                          Management                                                    Y2K       Interface                  b&face              Estiites               Documented                     Y2K\n     ..............\n                Srn.~??!!?~......................\n                                             ..?.!\n                                                t!!!.................\n                                                                  .SE??!~ti~.?.\n                                                                          ...........\n                                                                                   .._e!!!G?!!?!                                                                                                                                                                                                              ...........   -me\xe2\x80\x99    .            Reported\n                                                                                                                                                                                                                                                                                                                                        ...............             Contingency\n                                                                                                                                                                                                                                                                                                                                                      .............................  Plans\n                                                                                                                                                                                                                                                                                                                                                                              ..........................\n                                                                                                                                                                                                                                                                                                                                                                                                   G?.?!R!k!!:. ....\n                Global Omunand and                                                                                                                                                                                                                   YeS                               No           No                         No                   No                      No                        No\n                Control System\n\n\n                Global Combat Support                                                                                                                                                                                                                YeS                               Yes          No                         No                   No                      No                        No\n                 System\n\n                Global On-line Marine                                                                                                                                                                                                                  No                              No           Yes                        No                  YeS                      No                        No\n                Edit and Report System\n\n\n                Integrated Resource                                                                                                                                                                                                                    No                              YeS          Yes                        No                   No                      No                       YeS\n                Management system\n\n\n                 Mission Requirements                                                                                                                                                                                                              N/A                                 N/A          N/A                       N/A                  N/A                     N/A                       N/A\n                 ROpII?\n\n\n\n                Nuclear Planning and                                                                                                                                                                                                               NIA                                 N/A          N/A                       N/A                  N/A                     N/A                       N/A\n                Execution Syste.m9\n!3\n                 Pass Ultra Programmable \xe2\x80\x99                                                                                                                                                                                                          Yes                                No           No                         No                   No                      No                        No\n\n                Telecommunication                                                                                                                                                                                                                      No                              No           N/A                       N/A                   No                     Yes                       YeS\n                Service Priority\xe2\x80\x99 \xe2\x80\x99 5\n\n\n                White House                                                                                                                                                                                                                         Yes                                Yes          No                         No                   No                      No                        No\n                Communications Agency\n                Pqcrty Book System\n\n                 WarehouseInventor\n                                                                                                                                                                                                                                                   N/A                                 NIA          N/A                       N/A                  N/A                     N/A                       NIA\n                Systrm\xe2\x80\x99\n\n\n\n\n                      \xe2\x80\x99 Not applicable responses refer to those systems that do not have any external interfaces or internal interfaces.\n                      * Responses of not applicable refer to those systems that are not beyond the renovation phase.\n                      3 Telecommunications transport system requiring waiver/exemption.\n                      4 Replacement system or system scheduled to be replaced.\n                      \xe2\x80\x99 Stand alone systems.\n                      6 System owned by the National Security Agency.\n                      \xe2\x80\x99 Initially identified as being in the renovation phase but the system was retired in July 1997.\n                      \xe2\x80\x99 Retired.\n                      9 System transferred to the Air Force and Air Force expects the system to be implemented by January 1999.\n\x0cAppendix C. Report Distribution\n\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition and Technology\n  Director, Defense Logistics Studies Information Exchange\nUnder Secretary of Defense (Comptroller)\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\nUnder Secretary of Defense for Personnel and Readiness\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\n  Year 2000 Oversight and Contingency Planning Office\nAssistant Secretary of Defense (Health Affairs)\nAssistant Secretary of Defense (Public Affairs)\n\nJoint Staff\nDirector, Joint Staff\n\nDepartment        of the Army\nAssistant Secretary of the Army (Financial Management and Comptroller)\nAuditor General, Department of the Army\nChief Information Officer, Army\n\nDepartment        of the Navy\nAssistant Secretary of the Navy (Financial Management and Comptroller)\nAuditor General, Department of the Navy\nChief Information Officer, Navy\n\nDepartment        of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\nChief Information Officer, Air Force\n\n\n\n\n                                         21\n\x0cAppendix C. Report Distribution\n\n\n\n\nOther Defense Organizations\nDirector, Defense Contract Audit Agency\nDirector, Defense Logistics Agency\nDirector, National Security Agency\n   Inspector General, National Security Agency\nInspector General, Defense Intelligency Agency\nDirector, Defense Information Systems Agency\n   Inspector General, Defense Information Systems Agency\n   Chief Information Officer, Defense Information Systems Agency\n\n\nNon-Defense Federal Organizations                 and Individuals\nOffice of Management and Budget\n   Office of Information and Regulatory AfTairs\nTechnical Information Center, National Security and International Affairs Division,\n   General Accounting Office\nDirector, Defense Information and Financial Management Systems, Accounting and\n   Information Management Division, General Accounting Office\n\nChairman and ranking minority member of each of the following congressional\n  committees and subcommittees:\n\n   Special Committee on the Year 2000 Technology Problem\n   Senate Committee on Appropriations\n   Senate Subcommittee on Defense, Committee on Appropriations\n   Senate Committee on Armed Services\n   Senate Committee on Governmental Affairs\n   House Committee on Appropriations\n   House Subcommittee on National Security, Committee on Appropriations\n   House Committee on Governmental Reform and Oversight\n   House Subcommittee on Government Management, Information, and Technology,\n      Committee on Government Reform and Oversight\n   House Subcommittee on National Security, International Affairs, and Criminal\n      Justice, Committee on Government Reform and Oversight\n   House Committee on National Security\n\n\n\n\n                                          22\n\x0cPart III - Management Comments\n\x0cDefense Information Systems Agency Comments\n\n\n                        DEFENSE INFOfWATlON SYSTEMS AGENCY\n                                     lol~amlnaBRw\n                                  --a2wam\n\n\n        Inspector    General                                 26 June 1998\n   z%\n\n        MEMORANDUM\n                FOR INSPECTORGENERAL,DEPARTMENT OF DEFENSE\n                   ATTN: Director, Acquisition Management\n\n        SUBJECT\n              :             Comments to DODIGDraft Audit Report on\n                            DISA\xe2\x80\x99s Year 2000 Program\n\n        Reference:          DQDIGDraft Report, Audit on Management of\n                            the Defense Information Systems Agency Year\n                            2000 Program (Project No. 8AS-OOOS), 27 May\n                            1998\n\n\n        1. The Year 2000 Problem has been and continues to be the\n        Director\xe2\x80\x99s   Number 1 priority,  especially for the mission\n        critical   systems.  It has received increased top management\n        visibility   weekly since October 1997, when the Vice\n        Director started chairing the DISA Y2K Weekly Updates.\n        Prior to that date, the Director held several in-process\n        reviews and the Chief Information Officer held monthly\n        reviews.\n\n        2. While DISA concurs with the recommendations of the\n        referenced report, we note that DISA has made tremendous\n        progress since the audit observations were made and most of\n        the recommended actions are well underway.\n\n        3. The point of contact for this action is Mr. Thomas J.\n        Nicholas, Special Assistant to the IG for Y2K. He can be\n        called   at (703) 6074315    or by email at nichoiat@ncr.disamil.\n\n        FOR THE DIRECTOR:\n\n\n\n\n        1 Enclosure   a/s\n                                          Inspector   General\n\n\n\n\n                                             24\n\x0c                         Defense Information Systems Agency Comments\n\n\n\n\n     MMAGMWP~STQTOIGDRAFTJUJDITRBORTON\n    -0FTEEDEoglpsE           IlmxwATIrn SYsTmS AGmm\n          YEAR 2000 PRaRN4 (Pxojact Ho. SJLS-0005)\n\n\nThe DODIG recommends that the Director,   Defense Information\nSystems Agency:\n\n1. Review changes to the DODYear 2000 Management Plan,\nand update the Defense Information Systems Agency Year 2000\nManagement Plan according to those changes.\n\nDISA Response: Concur. As noted in the draft report we\nwill issue Version 2.0 DISA Year 2000 Problem Management\nPlan by 30 June 1998 at the end of our Renovation Phase. It\nis based on the latest draft of the DoD Year 2000\nManagement Plan, which is expected to be final before 30\nJune 1998.\n\n2. Disseminate the regulations,  procedures and strategies\ngoverning the DODYear 2000 Management Plan and the Defense\nInformation Systems Agency Year 2000 Management Plan and\nother guidance to the operating levels.\n\nDISA Response: Partially    concur. Downwardcommunication is\na vital part of any effort.     However, DISA has used and\ncontinues to use every means possible to disseminate Y2K\nguidance to Program Managers and others.     Drafts of the\nDISA Y2K Problem Management Plan, specific    guidance from\nDODand management, and other important documents were\ndistributed  to about 50 managers and Y2K Points of Contact\nvia email in November 1996. The first DODY2K Management\nPlan was distributed  in April 1997.\n\nReferences to Y2K web sites,   information on commercial and\ngovernment off-the-shelf    (COTS/COTS)software and hardware,\ntest results,   and the latest guidance on Y2K have been\ndisseminated to the Y2K points of contact and operating\nlevel personnel via email on a daily basis.     Moreover, both\nweekly and monthly meetings have served to keep DlSA staff\nand operating managers apprised of the problems and the\nprogress of our Y2K challenge.     Weekly Y2K updates have\nbeen held with the Vice Director, Chief of Staff, and\nsenior managers since October 1997. These frequent       Y2K\nprogress review meetings of the key management officials\nand Y2K Coordinators also serve as a forum to distribute\nthe latest and most relevant reports, schedules, and Y2K\n\x0cDefense Information Systems Agency Comments\n\n\n\n\n          guidance documents.      Subsequently, this data along with\n          certification    and testing guidance is formally placed on\n          the DISA/DoD/JITC and other relevant web pages.      The draft\n          DoD and draft DISA Year 2000 Management Plans were\n          distributed   via electronic   mail in March 1998 to all\n          Program Hanagers, Y2K Points of Contact, and other DISA\n          system representatives.      The final versions will be\n          disseminated in a similar fashion and copies will be placed\n          on the DoD and/or DISA web pages.\n\n          3. Require system managers to accurately document the\n          system status in accordance with the exit criteria\n          prescribed in the DODYear 2000 Management Plan.\n\n          DISA Response: Partially    concur.  However, the data in\n          Appendix B to this report is now so outdated that it gives\n          an inaccurate picture of the DISA\xe2\x80\x99s true Y2K status at the\n          end of June 1998. Continuous monitoring of systems\n          progress through the phases has been occurring and reported\n          as a standard feature of the Y2K weekly management\n          briefing  to the Vice Director and Chief of Staff. In\n          addition,   an accurate track record is kept of the progress\n          of each system from one phase to the next.     At this time,\n          exit criteria   for the Renovation Phase are nearly completed\n          for almost all systems.     Test schedules and validation\n          plans are being finalized    for DISA\xe2\x80\x99s mission critical\n          systems.    In addition,  new DODand DISA reporting\n          requirements call for step by step updates on the status of\n          Y2K by phase.    The status of DISA mission critical     and\n          support systems was scrubbed in April 1998 and is being\n          updated monthly.\n\n          4. Complete the identification    of all interfaces   and\n          communicate the resolutions   of the potential,   Year 2000\n          interface problems to the interface partners.\n\n          DISA Response: Concur. Complete identification       and\n          documentation of interfaces    and interface agreements has\n          been underway since our initial     inventory in 1996. DISA has\n          identified  internal system interfaces     during the assessment\n          phase; however, identification    of external interfaces    has\n          taken longer.    Nevertheless,  this is an ongoing effort as\n          our systems and networks are dynamic and the number of\n          interfaces  change frequently.    Documentation of the Y2K\n          compliance of the interfaces    may take the form of\n          applicable  international   and national standards, interface\n          control documents, or memoranda of agreement (MOA),\n\n\n\n\n                                             26\n\x0c                           Defense Information System Agency Comments\n\n\n\n\ndepending on the nature of the interface.    In the case of\nthe Global Commandand Control System [GCCS) we have\nidentified 20 external interfaces   that have potential Y2K\nimpacts and we are preparing MOAsfor each one. We expect\nto complete our documentation efforts by 30 June 1998, the\ncurrent DODmilestone.    DISA obtains recurring   reports on\nthe status of interfaces  from system managers and presents\nprogress reports to the Vice Director at the weekly Y2K\nmanagement meeting.\n\nTo assist DISA in the interface identification     effort,  the\nDODIGis requested to follow up on its concurrence that\n\xe2\x80\x9cformal interface   agreements for telecosnnunications systems\nmay not be appropriate\xe2\x80\x9d   (page 9, Par 1).   WD has ag:eed to\ninclude guidance in their next Year 2000 Management Plan\nmaking an exception for systems such as telecommunications\ntransport systems where interface agreements are not\nappropriate because national and international     standards\nappropriately  define the interface.\n\n5. Refine cost estimates    for each system to determine the\nfunding needed.\n\nDISA Response: Concu:.   However, no additional   funding is\nanticipated  or needed.  Recovery of the cost of Year 2000\nefforts already undertaken, in order to then carry our the\noriginal planned enhancements to our systems, would be\nextremely beneficial.   We are presently revalidating   the\ncost estimates for remediation of our Mission Critical\nsystems using the revised guidance in the draft DODY2K\nManagement Plan. All of the Y2K Points of Contact have\nbeen tasked to document their Y2K cost estimates.     We will\nhave a better total cost estimate by 1 July 1998.\n\n6.  Develop contingency plans for mission-critical systems\nthat will not complete the \xe2\x80\x9cimplementation\xe2\x80\x9d phase by\nDecember 1998.\n\nDISA Response: Concur. All mission critical systems that\nwill not complete full Y2K compliance by September 30,\n1998, or full implementation by December 1998, will have a\nsystem contingency plan developed by December 1999.\n\n7. Determine systems as year 2000 compliant only after\ntesting and completing the compliance checklists.\n\n\n\n\n                                  27\n\x0cDefense Information Systems Agency Comments\n\n\n\n\n          DISA Response: Concur. Version 2.0 of the DISA Year 2000\n          Problem Management Plan requires that a DISA Y2k Compliance\n          Checklist be completed for all DISA systems that uere\n          renovated, or that replace prior systems, during the\n          Validation   Phase. Our concentration has been on fixing Y2R\n          problems in computation or interchange in our mission\n          critical   systems, as quickly as possible,   so that our\n          customers can build on our solutions,    while continuing to\n          meet the warfighter\xe2\x80\x99s   needs.   The paperwork was left to the\n          Validation   Phase when a more complete set of Year 2000\n          compliance criteria   were available and the documentation\n          requirements were more firmly set.\n\x0cAudit Team Members\n\nThis report was prepared by the Acquisition Management Directorate, Office of\nthe Assistant Inspector General for Auditing, DOD.\n\nThomas F. Gimble\nPatricia A. Brannin\nMary Lu Ugone\nJames W. Hutchinson\nJoAnn Henderson\nHugh G. Cherry\nKathleen Fitzpatrick\nJennifer L. Zucal\nLabib A. Baltagi\nSonya M. Mercurius\nWendy Stevenson\nKrista S . Gordon\n\x0c\x0c"